> Diffie-Hellman was originally designed for secret key exchange. It is a public key cryptosystem based on the Discrete Logarithm Problem (DLP).


> Two parties create a symmetric session key to exchange data without having to meet to agree on the key; it can be done through the Internet. Let us see how the protocol works when Alice and Bob need a symmetric key to communicate.




Before establishing a symmetric key, the two parties need to choose two numbers p and g. The first number, p, is a large prime number on the order of 300 decimal digits (1024 bits). The second number, g, is a random number. These two numbers need not be confidential. They can be sent through the Internet; they can be public.

Step 1: Alice chooses a large random number x and calculates:

R1 = g^x mod p

Step 2: Alice sends R1 to Bob. Note that Alice does not send the value of x; she sends only R1.

Step 3: Bob chooses another large random number y and calculates:

R2 = g^y mod p

Step 4: Bob sends R2 to Alice. Again, note that Bob does not send the value of y; he sends only R2.

Step 5: Alice calculates: K = (R2)^x mod p

Step 6: Bob also calculates: K = (R1)^y mod p




The symmetric key for the session is K.

(g^x mod p)^y mod p = (g^y mod p)^x mod p = g^xy mod p

Bob has calculated K = (R1)^y mod p = (g^x mod p)^y mod p = g^xy mod p. Alice has calculated K = (R2)^x mod p = (g^y mod p)^x mod p = g^xy mod p. Both have reached the same value without Bob knowing the value of x and without Alice knowing the value of y.
If x and y are very large numbers, it is extremely difficult for Eve to find the key, knowing only p and g. An intruder needs to determine x and y if R1 and R2 are intercepted. But finding x from R1 and y from R2 are two difficult tasks. However, the protocol has a weakness. Eve does not have to find the value of x and y to attack the protocol. She can fool Alice and Bob by creating two keys: one between herself and Alice and another between herself and Bob.

The following can happen:

1. Alice chooses x, calculates R1 = g^x mod p, and sends R1 to Bob.

2. Eve, the intruder, intercepts R1. She chooses z, calculates R2 = g^z mod p, and sends R2 to both Alice and Bob.

3. Bob chooses y, calculates R3 = g^y mod p, and sends R3 to Alice; R3 is intercepted by Eve and never reaches Alice.

4. Alice and Eve calculate K1 = g^xz mod p, which becomes a shared key between Alice and Eve. Alice, however, thinks that it is a key shared between Bob and herself.

5. Eve and Bob calculate K2 = g^zy mod p, which becomes a shared key between Eve and Bob. Bob, however, thinks that it is a key shared between Alice and him.



> The man-in-the-middle attack can be avoided if Bob and Alice first authenticate each other. In other words, the key exchange process can be combined with an authentication scheme to prevent a man-in-the-middle attack.
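As an added example (Python, not part of the original slides), the six protocol steps, the five-step substitution scenario, and the kind of check the last point calls for are worked through below. The toy parameters p = 23 and g = 5, the secret exponents, the HMAC-based tag and the pre-shared authentication key are all assumptions made for the demo; the slides do not specify which authentication scheme to use.

```python
import hashlib
import hmac

# Toy public parameters, constructed for illustration only. A real deployment
# uses a prime of roughly 300 decimal digits or more and a generator of a large
# prime-order subgroup; with p = 23 the whole key space can be enumerated.
P = 23
G = 5


def dh_public(secret: int, p: int = P, g: int = G) -> int:
    """Steps 1 and 3: the value that goes on the wire, R = g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(their_public: int, my_secret: int, p: int = P) -> int:
    """Steps 5 and 6: K = (R_other)^secret mod p."""
    return pow(their_public, my_secret, p)


def honest_exchange(x: int, y: int) -> tuple[int, int]:
    """Alice (secret x) and Bob (secret y) talk directly; both keys agree."""
    r1 = dh_public(x)            # Alice -> Bob
    r2 = dh_public(y)            # Bob -> Alice
    return dh_shared(r2, x), dh_shared(r1, y)


def mitm_exchange(x: int, y: int, z: int) -> tuple[int, int, int, int]:
    """The five-step scenario from the text: Eve (secret z) substitutes her own
    R2 = g^z mod p for both halves of the exchange."""
    r1 = dh_public(x)            # Alice -> (intercepted by Eve)
    r2 = dh_public(z)            # Eve -> Alice and Eve -> Bob
    r3 = dh_public(y)            # Bob -> (intercepted by Eve, never reaches Alice)
    k1_alice = dh_shared(r2, x)  # Alice believes this is shared with Bob
    k1_eve = dh_shared(r1, z)
    k2_bob = dh_shared(r2, y)    # Bob believes this is shared with Alice
    k2_eve = dh_shared(r3, z)
    return k1_alice, k1_eve, k2_bob, k2_eve


def authenticate(auth_key: bytes, sender: str, public_value: int) -> bytes:
    """Assumed authentication scheme (the text names none): an HMAC-SHA256 tag
    over the sender's identity and public value, under a key that Alice and Bob
    already share for authentication only."""
    msg = f"{sender}:{public_value}".encode()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def accept_public_value(auth_key: bytes, sender: str, public_value: int,
                        tag: bytes) -> bool:
    """Receiver-side check: a substituted R (Eve's g^z) carries no valid tag,
    so it is rejected before any key is derived from it."""
    expected = authenticate(auth_key, sender, public_value)
    return hmac.compare_digest(expected, tag)
```

With x = 6 and y = 15 both parties land on K = 2; with Eve's z = 3 Alice ends up with K1 = 6 and Bob with K2 = 5, the two keys the text describes, and a tagged R1 that Eve replaces fails the receiver's check.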





Key Management and Distribution

> topics of cryptographic key management / key distribution are complex

• cryptographic, protocol, & management issues

> symmetric schemes require both parties to share a common secret key

> public key schemes require parties to

Key Distribution 


> symmetric schemes require both parties to 
share a common secret key 

> issue is how to securely distribute this key 

> whilst protecting it from others 

> frequent key changes can be desirable 

> often secure system failure due to a break in the key distribution scheme

Key Distribution

> given parties A and B have various key distribution alternatives:

• A can select key and physically deliver to B

• third party can select & deliver key to A & B

• if A & B have secure communications with a third party C, C can relay key between A & B








Key Distribution Center (KDC)

Key Hierarchy

> typically have a hierarchy of keys

> session key

• temporary key

• used for encryption of data between users

• for one logical session then discarded

> master key

• used to encrypt session keys
Key Distribution Scenario

(Figure: key distribution scenario with a KDC; the key distribution and authentication step labels were not recovered)

> A "Key Distribution Center" (KDC) shares a unique key with each party (user):

1. A requests from the KDC a session key to 
protect a logical connection to B. The message 
includes the identity of A and B and a unique 
nonce N1. 


2. The KDC responds with a message encrypted 
using Ka that includes a one-time session key Ks 
to be used for the session, the original request 
message to enable A to match response with 






3. A stores the session key for use in the upcoming session and forwards to B the information from the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping.

At this point, a session key has been securely 
delivered to A and B, and they may begin their 
protected exchange. 


Two additional steps are desirable:

5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g. adding one). These steps assure B that the original message it received (step 3) was not a replay. Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3, perform an authentication function.
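An added Python simulation of the scenario (not from the original slides): the message layout of steps 1 through 3, A matching the KDC's reply to its own request via N1, and B's nonce challenge in steps 4 and 5 with f(N2) = N2 + 1. The cipher is a toy keystream-plus-HMAC construction standing in for a real authenticated cipher, and the master keys, identities and nonce sizes are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import secrets

MASTER_KEY_A = b"A" * 32   # Ka, constructed for the demo
MASTER_KEY_B = b"B" * 32   # Kb, constructed for the demo


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy E(K, M): SHA-256 keystream XOR plus an HMAC-SHA256 tag. It stands in
    for a real authenticated cipher such as AES-GCM and is for this demo only."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Toy D(K, C); raises ValueError when the tag does not verify under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Shares a unique master key with each user."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def handle_request(self, request: dict) -> bytes:
        """Step 2: E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
        ka, kb = self.master_keys[request["from"]], self.master_keys[request["to"]]
        ks = secrets.token_bytes(32)                     # one-time session key
        ticket = encrypt(kb, json.dumps({"ks": ks.hex(), "id": request["from"]}).encode())
        reply = {"ks": ks.hex(), "request": request, "ticket": ticket.hex()}
        return encrypt(ka, json.dumps(reply).encode())


def b_checks_response(ks_b: bytes, n2: int, response: bytes) -> bool:
    """B's side of step 5: the reply must decrypt under Ks and equal N2 + 1."""
    try:
        return int.from_bytes(decrypt(ks_b, response), "big") == n2 + 1
    except ValueError:
        return False


def run_scenario(ka: bytes, kb: bytes) -> tuple:
    """Steps 1-5 between A, the KDC and B. Returns (B accepted A, the step-3 ticket)."""
    kdc = KDC({"A": ka, "B": kb})
    request = {"from": "A", "to": "B", "n1": secrets.token_hex(8)}     # step 1
    reply = json.loads(decrypt(ka, kdc.handle_request(request)))      # step 2
    if reply["request"] != request:           # N1 lets A match the reply to its request
        raise ValueError("KDC reply does not match A's request")
    ks_a = bytes.fromhex(reply["ks"])
    ticket = bytes.fromhex(reply["ticket"])                           # step 3: A -> B
    b_view = json.loads(decrypt(kb, ticket))                          # B recovers Ks and IDA
    if b_view["id"] != "A":
        raise ValueError("ticket was issued for a different party")
    ks_b = bytes.fromhex(b_view["ks"])
    n2 = secrets.randbelow(2**31)
    challenge = encrypt(ks_b, n2.to_bytes(4, "big"))                  # step 4: B -> A
    n2_at_a = int.from_bytes(decrypt(ks_a, challenge), "big")
    response = encrypt(ks_a, (n2_at_a + 1).to_bytes(4, "big"))        # step 5: A -> B
    return b_checks_response(ks_b, n2, response), ticket


def replay_rejected(kb: bytes, ticket: bytes) -> bool:
    """Why steps 4-5 matter: whoever replays an old step-3 ticket without
    holding Ks cannot answer B's fresh N2 challenge, so B's check fails."""
    ks_b = bytes.fromhex(json.loads(decrypt(kb, ticket))["ks"])
    n2 = secrets.randbelow(2**31)
    guessed_key = secrets.token_bytes(32)       # the replayer does not have Ks
    bogus = encrypt(guessed_key, (n2 + 1).to_bytes(4, "big"))
    return not b_checks_response(ks_b, n2, bogus)
```

The ticket E(Kb, [Ks || IDA]) is the only part of the KDC's reply that A forwards unchanged; B never sees Ka, and a replayed ticket is caught because the challenge in step 4 is fresh and only a holder of Ks can transform it.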









Symmetric Key Distribution 
Using Public Keys 

> public key cryptosystems are inefficient 

• so almost never use for direct data encryption 

• rather use to encrypt secret keys for distribution 






Simple Secret Key Distribution 


> Merkle proposed this very simple scheme 

• allows secure communications 

• no keys before/after exist 









> If A wishes to communicate with B, the following 
procedure is employed: 

1. A generates a public/private key pair {PUa, PRa} 
and transmits a message to B consisting of PUa 
and an identifier of A, IDA. 

2. B generates a secret key, Ks, and transmits it to 
A, encrypted with A's public key. 

3. A computes D(PRa, E(PUa, Ks)) to recover the 
secret key. Because only A can decrypt the 
message, only A and B will know the identity of 







>A and B can now securely communicate 
using conventional encryption and the 
session key Ks. At the completion of the 
exchange, both A and B discard Ks. 
Despite its simplicity, this is an attractive 
protocol. No keys exist before the start of 
the communication and none exist after 
the completion of communication. Thus, 
the risk of compromise of the keys is 
minimal. At the same time, the 





Man-in-the-Middle Attack

> this very simple scheme is vulnerable to an active man-in-the-middle attack
> Man-in-the-Middle attack:

In this case, if an adversary, E, has control of the intervening communication channel, then E can compromise the communication in the following fashion without being detected:

1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.

2. E intercepts the message, creates its own public/private key pair {PUe, PRe} and transmits PUe || IDA to B.

3. B generates a secret key, Ks, and transmits E(PUe, Ks).

4. E intercepts the message and learns Ks by computing D(PRe, E(PUe, Ks)).

5. E transmits E(PUa, Ks) to A. 


> The result is that both A and B know Ks and are unaware that Ks has also been revealed to E. A and B can now exchange messages using Ks. E no longer actively interferes with the communications channel but simply eavesdrops. Knowing Ks, E can decrypt all messages, and both A and B are unaware of the problem. Thus, this simple protocol is only useful in an environment v.






Secret Key Distribution with Confidentiality and Authentication







> This protocol provides protection against both active and passive attacks. Assuming A and B have exchanged public keys by one of the schemes described subsequently in this chapter, then the following steps occur:

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.

2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.

3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.

4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could






Hybrid Key Distribution 


> retain use of private-key KDC 

> shares secret master key with each user 

> distributes session key using master key 

> public-key used to distribute master keys 

• especially useful with widely distributed 
users. 






Distribution of Public Keys 

> can be considered as using one of: 

• public announcement 

• publicly available directory 

• public-key authority 

• public-key certificates 




The naive approach is to announce public keys 
publicly. Bob can put his public key on his website 
or announce it in a local or national newspaper. 
When Alice needs to send a confidential message 
to Bob, she can obtain Bob's public key from his 
site or from the newspaper, or she can even send a 
message to ask for it. Figure 4.10 shows the 
situation. 






> major weakness is forgery

• anyone can create a key claiming to be someone else and broadcast it

• until the forgery is discovered, can masquerade as the claimed user
Publicly Available Directory 


> can obtain greater security by registering 
keys with a public directory 

> directory must be trusted with properties: 

• contains {name,public-key} entries 

• participants register securely with directory 

• participants can replace key at any time 

• directory is periodically published 







The directory, like the one used in a telephone system, is dynamically updated. Each user can select a private/public key, keep the private key, and deliver the public key for insertion into the directory. The center requires that each user register in the center and prove his or her identity. The directory can be publicly advertised by the trusted center. The center can also respond to any inquiry about a public key.

Public-Key Authority

> improve security by tightening control over distribution of keys from directory

> has properties of directory

> and requires users to know public key for the directory

> then users interact with directory to obtain any desired public key securely

(Figure: public-key authority scenario; figure labels were not recovered)









Public-Key Certificates 


> The previous approach can create a heavy load 
on the center if the number of requests is large. 
The alternative is to create public-key 
certificates. 


> certificates allow key exchange without real-time 
access to public-key authority 

> a certificate binds identity to public key 


• usually with other info such as period of 
validity, rights of use etc 


> with all contents signed by a trusted Public-Key Authority

(Figure: Public-Key Certificates; a Certificate Authority issues a certificate carrying PUb)
Although the use of a CA has solved the problem of public-key fraud, it has created a side effect. Each certificate may have a different format. If Alice wants to use a program to automatically download different certificates belonging to different people, the program may not be able to do so.

One certificate may have the public key in one format and another in another format. The public key may be on the first line in one certificate and on the third line in another. Anything that needs to be used universally must have a universal







X.509 Authentication Service 


> part of CCITT X.500 directory service standards 

• distributed servers maintaining user info database 

> defines framework for authentication services 

• directory may store public-key certificates 

• with public key of user signed by certification authority 

> also defines authentication protocols

> uses public-key crypto & digital signatures

> have 3 versions










X.509

(Figure: certificate generation. Unsigned certificate: contains user ID, user's public key. Generate hash. Signed certificate: recipient can verify signature using CA's public key.)
X.509 Certificates

> issued by a Certification Authority (CA), containing:

• version V (1, 2, or 3)

• serial number SN (unique within CA) identifying certificate

• signature algorithm identifier AI

• issuer X.500 name (CA)

• period of validity TA (from - to dates)

• subject X.500 name A (name of owner)

• subject public-key info Ap (algorithm, parameters, key)

• issuer unique identifier (v2+)

• subject unique identifier (v2+)

• extension fields (v3)

> notation CA<<A>> denotes certificate for A signed by CA (the signature covers a hash of all fields in the certificate)







Obtaining a Certificate


> any user with access to CA can get any 
certificate from it 

> only the CA can modify a certificate 

> because cannot be forged, certificates can 
be placed in a public directory 



When we want to use public keys 
universally, we cannot have only one CA to 
answer the queries. We need many servers. 
In addition, we found that the best solution is 
to put the servers in a hierarchical 
relationship with one another. Likewise, a 
solution to public-key queries is a 
hierarchical structure called a public-key 
infrastructure (PKI). 



CA Hierarchy Use 



At the first level, we can have a root CA that can certify the performance of CAs in the second level; these level-1 CAs may operate in a large geographic or logical area. The level-2 CAs may operate in smaller geographic areas.

In this hierarchy, everybody trusts the root. But people may or may not trust intermediate CAs. If Alice needs to get Bob's certificate, she may find a CA somewhere to issue the certificate. But Alice may not trust that CA. In a hierarchy Alice can ask the next-higher CA to certify the original CA. The inquiry may go all the way to the root.

Certificate Revocation

> certificates have a period of validity

> may need to revoke before expiry, e.g.:

1. user's private key is compromised

2. user is no longer certified by this CA

3. CA's certificate is compromised

> CAs maintain list of revoked certificates

• the Certificate Revocation List (CRL)
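An added Python example (not from the original slides) that ties the last three slides together: a toy certificate with the X.509 fields listed earlier, issuance by a root CA and a level-1 CA, chain validation that walks from Bob's certificate up to the root as the hierarchy discussion describes, and a CRL check keyed on (issuer, serial) since serial numbers are unique only within a CA. The toy RSA keys, CA names, dates and serial numbers are constructed, and the signature reduces SHA-256 modulo the small modulus, which real X.509 signatures never do.

```python
import hashlib
import math
from dataclasses import dataclass, field
from datetime import date


def toy_keypair(p: int, q: int):
    """Toy RSA ((n, e), (n, d)) from small primes; constructed for the demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def _hash_mod(data: bytes, n: int) -> int:
    # Hash of all fields in the certificate, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_hash_mod(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _hash_mod(data, n)


@dataclass
class Certificate:
    """The X.509 fields from the list above, in a toy encoding."""
    version: int
    serial: int                 # unique within the issuing CA
    sig_alg: str
    issuer: str
    not_before: date
    not_after: date
    subject: str
    public_key: tuple           # toy RSA (n, e)
    extensions: dict = field(default_factory=dict)
    signature: int = 0

    def tbs(self) -> bytes:
        """'To be signed' bytes: every field except the signature."""
        return repr((self.version, self.serial, self.sig_alg, self.issuer,
                     self.not_before.isoformat(), self.not_after.isoformat(),
                     self.subject, self.public_key, sorted(self.extensions.items()))).encode()


def issue(issuer: str, issuer_private, subject: str, subject_public, serial: int,
          not_before: date, not_after: date, is_ca: bool) -> Certificate:
    """CA<<subject>>: the issuer signs the hash of all fields."""
    cert = Certificate(3, serial, "sha256-toy-rsa", issuer, not_before, not_after,
                       subject, subject_public, {"ca": is_ca})
    cert.signature = sign(issuer_private, cert.tbs())
    return cert


def validate_chain(chain: list, trust_anchor: Certificate, crl: set, today: date):
    """chain is [end entity, ..., root]; crl holds (issuer, serial) pairs.
    Each certificate is checked against the next-higher CA until the root,
    which must be the configured trust anchor. Returns (ok, reason)."""
    if chain[-1] != trust_anchor:
        return False, "chain does not end at the trusted root"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert    # root is self-signed
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name does not match"
        if not issuer.extensions.get("ca"):
            return False, f"{issuer.subject}: issuer is not a CA"
        if not verify(issuer.public_key, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature does not verify"
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial) in crl:
            return False, f"{cert.subject}: revoked"
    return True, "ok"


def build_demo() -> dict:
    """Root CA -> Level-1 CA -> Bob, plus a 'Bob' certificate signed by a key
    no CA vouches for (the forgery case). All values are constructed."""
    root_pub, root_priv = toy_keypair(10007, 10009)
    l1_pub, l1_priv = toy_keypair(10037, 10039)
    bob_pub, _ = toy_keypair(101, 113)
    rogue_pub, rogue_priv = toy_keypair(61, 53)
    start, end = date(2024, 1, 1), date(2025, 12, 31)
    return {
        "root": issue("Root CA", root_priv, "Root CA", root_pub, 1, start, end, True),
        "level1": issue("Root CA", root_priv, "Level-1 CA", l1_pub, 2, start, end, True),
        "bob": issue("Level-1 CA", l1_priv, "Bob", bob_pub, 1001, start, end, False),
        "forged": issue("Level-1 CA", rogue_priv, "Bob", rogue_pub, 1001, start, end, False),
        "today": date(2024, 6, 1),
        "after_expiry": date(2026, 3, 1),
    }
```

The validation order matters for what a log line will say: name binding, CA flag and signature come first so that a forged certificate is reported as a signature failure rather than as "revoked" or "expired", and the CRL lookup uses the issuer name together with the serial number because two CAs may legitimately issue the same serial.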








Summary 


> have considered: 

• symmetric key distribution using symmetric 
encryption 

• symmetric key distribution using public-key 
encryption 

• distribution of public keys 

• announcement, directory, authority, CA

• X.509 authentication and certificates 




